1. Field of the Invention
This invention relates to client authentication in networked computer systems, and specifically to resource-based authentication.
2. Description of the Related Art
Companies need to store and make available an ever-increasing amount of information. Providing different types of information to people in an efficient, yet secure manner poses a considerable challenge. Companies must determine, and enforce, who is allowed to view each piece of information. Generally, the functions a person performs with or within the company define what information that person is allowed to use. Some information is available to everyone. Employees may be given broad access to the information related to their jobs, while business partners are generally given more restricted access based upon agreements set up between companies.
A common solution is to grant access to information on a per-application basis. Administrators set up usernames and passwords to govern access to the information they control. Such usernames and passwords are frequently set up individually for each resource a person needs to access, at the time that person first needs such access. This also means that the same person may have to maintain an increasing number of usernames and passwords.
Another alternative is to use group or role-based authentication. This is where users are assigned various “roles” relating to the type of information and services they use. One benefit of role-based authentication is that once a user has been authenticated, a web server may use the defined roles to determine which resources that user is granted access to.
In such a system, resource access is generally linked to user roles. An authenticated user's roles are matched against those roles allowed to use a certain resource. For example, a company's web server may provide general product information, internal product information, and confidential employee data. Customers may be able to view the general product information, employees may use the internal product information, and perhaps the confidential employee data is only available to the human resources department. To support these requirements, the company could assign each user the role of customer, employee or HR employee. Then, after a user was authenticated by a username/password system, that user's role might be looked up and used to determine whether to grant or deny access to certain resources.
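The two-step flow just described (authenticate by username/password, then look up the user's roles and match them against the roles allowed on a resource), as an added illustration that is not part of the patent text; the usernames, passwords, resource paths and role assignments are constructed for the example, and access is denied by default for unknown users or resources.

```python
import hashlib
import hmac
import os

# Credentials are stored as salt + PBKDF2 hash, never as plaintext passwords.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}

# Constructed credential store: username -> salted password hash.
USERS = {
    "alice": make_user_record("customer-pass"),
    "bob": make_user_record("employee-pass"),
    "carol": make_user_record("hr-pass"),
}

# Role assignments using the three roles from the text; a user may hold several.
USER_ROLES = {
    "alice": {"customer"},
    "bob": {"employee"},
    "carol": {"employee", "hr_employee"},
}

# Resource policy: which roles may use each resource (the text's three resources;
# the paths themselves are constructed).
RESOURCE_ROLES = {
    "/products/general": {"customer", "employee", "hr_employee"},
    "/products/internal": {"employee", "hr_employee"},
    "/hr/confidential": {"hr_employee"},
}

def authenticate(username: str, password: str) -> bool:
    """Step 1: verify the username/password against the stored hash."""
    rec = USERS.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"])

def authorize(username: str, resource: str) -> bool:
    """Step 2: grant only if one of the user's roles is allowed on the resource.
    Unknown users and unknown resources have no roles in common, so they are denied."""
    allowed = RESOURCE_ROLES.get(resource, set())
    return bool(USER_ROLES.get(username, set()) & allowed)

def access(username: str, password: str, resource: str) -> str:
    """Full flow: authenticate first, then decide on roles."""
    if not authenticate(username, password):
        return "deny: authentication failed"
    if not authorize(username, resource):
        return "deny: no role permits this resource"
    return "grant"
```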